TRANSCRIPT
Webinar Series
Securing Operational Technologies and Control Systems with a Skilled Workforce
July 21, 2021
Operational Technology (OT) Cybersecurity
Keith Stouffer
Intelligent Systems Division Engineering Laboratory
Slide 2
Operational technology (OT) encompasses a broad range of programmable systems or devices that interact with the physical environment (or manage devices that interact with the physical environment). These systems/devices detect or cause a direct change through the monitoring and/or control of devices, processes, and events. Examples include industrial control systems (ICS), building management systems, transportation systems, physical access control systems, physical environment monitoring systems, and physical environment measurement systems.
Operational Technology (OT) Definition
Slide 3
Cybersecurity risk management is an important factor to ensure the safe and reliable delivery of the goods and services provided and supported by OT. The NIST OT Security Program includes multiple collaborative projects from across the NIST Information Technology Laboratory and Engineering Laboratory. https://csrc.nist.gov/projects/operational-technology-security
NIST OT Cybersecurity Program
Slide 4
NIST SP 800-82 Guide to Industrial Control Systems (ICS) Security https://csrc.nist.gov/publications/detail/sp/800-82/rev-2/final
Manufacturing Extension Partnership Cybersecurity Resources https://www.nist.gov/mep/cybersecurity-resources-manufacturers
Cybersecurity Framework Manufacturing Profile Low Impact Level Example Implementations Guide https://csrc.nist.gov/news/2019/nistir-8183a-csf-mfg-profile-low-impact-level
Cybersecurity & Infrastructure Security Agency (CISA) ICS Cybersecurity Recommended Practices https://us-cert.cisa.gov/ics/Recommended-Practices
Example OT Cybersecurity Resources
Slide 5
CISA - Some courses available at no cost https://us-cert.cisa.gov/ics/Training-Available-Through-ICS-CERT
International Society of Automation and International Electrotechnical Commission (ISA/IEC) https://isaeurope.com/certification/
SANS https://www.sans.org/cyber-security-courses/?focus-area=industrial-control-systems-security
Global Information Assurance Certification (GIAC) https://www.giac.org/certifications/industrial-control-systems
SCADAhacker https://scadahacker.com/training.html
Example OT Cybersecurity Training and Certifications
Slide 6
NIST SP 800-82
Guide to Industrial Control Systems Security
• Provides a comprehensive cybersecurity approach for securing ICS, while addressing unique performance, reliability, and safety requirements, including implementation guidance for NIST SP 800-53 controls
• Initial draft - September 2006
• Revision 1 - May 2013
• Revision 2 - May 2015
• 3,000,000+ downloads, 800+ citations, de facto worldwide standard/guideline for industrial control system cybersecurity
http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf
Slide 7
NIST has initiated an update of SP 800-82 to incorporate lessons learned over the past several years, to provide alignment to relevant NIST guidance, to provide alignment to other relevant control system cybersecurity standards and recommended practices, and to address changes in the threat landscape. The initial public draft, which will be published as SP 800-82, Revision 3, is scheduled for late 2021/early 2022.
Proposed updates:
• Expansion in scope of SP 800-82 from ICS to control systems/OT in general
• Application of new cybersecurity capabilities in control system/OT environments
• Development of guidance specific to small and medium-sized control system/OT owners and operators
• Updates to control system/OT threats, vulnerabilities, standards, and recommended practices
• Updates to the current ICS Overlay to align with SP 800-53, Rev 5
• Removal of outdated material from the current document
NIST SP 800-82 Update
Q & A
8
Megan Samford
Vice President, Chief Product Security Officer, Energy Management
Schneider Electric
@megan-Samford-13282814
Follow me on LinkedIn
Page 9 © 2019 Schneider Electric, All Rights Reserved
10
11
Security-related approaches: Information technology (IT) vs. Operations Technology (OT)
Security Priorities
• IT: Confidentiality, Integrity, Availability
• OT: Control, Availability, Integrity, Confidentiality
Access Control
• IT: Strict network authentication and access policies
• OT: Strict physical access but simple network device access
Cyber Criminal Motivation
• IT: Monetization
• OT: Disruption
Threat Protection
• IT: Shutdown Access
• OT: Isolate but keep operating
Maintenance
• IT: Multiple support sources, 3-5 yrs. component life; modular, accessible components, IT staff or contracted service
• OT: Single vendor support, 15-20 yrs. component life, remote components, hidden access. No full-time dedicated IT staff.
Upgrades
• IT: Frequent patches and updates; automatically pushed during uptime.
• OT: Carefully planned and tested; scheduled during downtime or not done at all.
Primary Players
• IT: CIO and IT
• OT: Engineers, technicians, operators and managers.
12
Security Lifecycles in the ISA/IEC 62443 Series link
13
Reference: Security Lifecycles in the ISA/IEC 62443 Series link
15
Q & A
16
Foundations of Industrial Cybersecurity Education and Training
Sean McBride
17
IT vs. OT
Being controlled
• IT: Data
• OT: Physics
Measurement
• IT: Bits & bytes
• OT: Temp, pressure, level, flow
Lifecycle
• IT: System lifecycle
• OT: Plant lifecycle
Consequences
• IT: Competitive disadvantage, Embarrassment, Financial loss
• OT: Product damage, Loss of life, Environmental release
Desired system characteristics
• IT: Confidentiality, Integrity, Availability
• OT: Safety, Reliability, Controllability
Educational background
• IT: Computer Science, Information Systems, Cybersecurity
• OT: On the job, Career & Technical Education, Electrical Engineering
Reporting chain
• IT: ISO, CISO, CIO
• OT: Shift Supervisor, Plant Manager, COO
Managerial Accounting
• IT: Cost center
• OT: Profit center
Key Differences
18
Searching for a standard
19
What would we expect of a standard?
• Address industrial cyber
• Clearly differentiate industrial
• Consensus-based
• Qualified participants
• Publicly available
• Includes work roles
• Includes tasks
• Includes knowledge
• Includes sector-specific content
• Evidence of empirical validation
20
Current Results
21
Current Results
22
Current Results
23
24
Mission
To provide world-class leadership in infusing tomorrow’s engineering professionals with critical cybersecurity competencies
Degree in Engineering Technology + Courses in Industrial Cybersecurity + Courses in Operations Management
Degree in Engineering Technology
• Instrumentation
• Electrical
• Mechanical
• Nuclear Operations
• Diesel Power
• Robotics
Courses in Industrial Cybersecurity
• IT-OT Fundamentals
• Networking
• Security Design for CPS
• Risk Management for CPS
• Network Security for CPS
• Critical Infrastructure Defense
Courses in Operations Management
• Ops & Production Mgmt
• Project Management
• Organizational Behavior
• Informatics & Analytics
• Information Assurance
• Business Statistics
25
Incoming Programs
• Mechanical Engineering Tech
• Electrical Engineering Tech
• Instrumentation Engineering Tech
• Information Technology Systems
• Diesel Power Systems
• Nuclear Operations
26
27
Q & A
29
Thank You for Joining Us!
Upcoming Webinar: The Information Technology Workforce and Skills for the Future
When: September 15, 2021 from 2-3PM ET
Register: https://nist-secure.webex.com/nist-secure/onstage/g.php?MTID=e4b2fb325e45250e24dadb39090f5a91c
nist.gov/nice/webinars
30